From 15977ad4fd3ef15bcfe47a57219ecd736d744318 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 2 Jun 2025 16:22:08 -0400 Subject: [PATCH 1/3] First draft --- docs/management/admin/host-isolation-ov.asciidoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/management/admin/host-isolation-ov.asciidoc b/docs/management/admin/host-isolation-ov.asciidoc index f199ee7e33..ea5a94d0f4 100644 --- a/docs/management/admin/host-isolation-ov.asciidoc +++ b/docs/management/admin/host-isolation-ov.asciidoc @@ -41,10 +41,11 @@ All actions executed on a host are tracked in the host’s response actions hist [[isolate-a-host]] == Isolate a host -.Isolate a host from a detection alert +.Isolate a host from an event or a detection alert [%collapsible] ==== -. Open a detection alert: +. Open an event or a detection alert: +* From the event analyzer view: Click an event. * From the Alerts table or Timeline: Click *View details* (image:images/view-details-icon.png[View details icon,16,15]). * From a case with an attached alert: Click *Show alert details* (*>*). . Click *Take action -> Isolate host*. From 98189917e180562359fb02fefb89b9d5c5c2ef4b Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 2 Jun 2025 16:28:16 -0400 Subject: [PATCH 2/3] docs for respond action --- docs/management/admin/host-isolation-ov.asciidoc | 5 +++-- docs/management/admin/response-actions.asciidoc | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/management/admin/host-isolation-ov.asciidoc b/docs/management/admin/host-isolation-ov.asciidoc index ea5a94d0f4..5abbec9254 100644 --- a/docs/management/admin/host-isolation-ov.asciidoc +++ b/docs/management/admin/host-isolation-ov.asciidoc 
@@ -99,10 +99,11 @@ image::images/host-isolated-notif.png[Host isolated notification message,350] [[release-a-host]] == Release a host -.Release a host from a detection alert +.Release a host from an event or detection alert [%collapsible] ==== -. Open a detection alert: +. Open an event or detection alert: +* From the event analyzer view: Click an event. * From the Alerts table or Timeline: Click *View details* (image:images/view-details-icon.png[View details icon,16,15]). * From a case with an attached alert: Click *Show alert details* (*>*). . From the alert details flyout, click *Take action -> Release host*. diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index ba8aa62700..c41edb13ca 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc @@ -29,7 +29,7 @@ Launch the response console from any of the following places in {elastic-sec}: * *Endpoints* page -> *Actions* menu (*...*) -> *Respond* * Endpoint details flyout -> *Take action* -> *Respond* -* Alert details flyout -> *Take action* -> *Respond* +* Alert or event details flyout -> *Take action* -> *Respond* * Host details page → *Respond* To perform an action on the endpoint, enter a <> in the input area at the bottom of the console, then press *Return*. Output from the action is displayed in the console. From 79b44fcb2134179df3def1153eef46863a2c89c5 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 3 Jun 2025 08:36:23 -0400 Subject: [PATCH 3/3] minor edit --- docs/management/admin/host-isolation-ov.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/management/admin/host-isolation-ov.asciidoc b/docs/management/admin/host-isolation-ov.asciidoc index 5abbec9254..567e1f6e82 100644 --- a/docs/management/admin/host-isolation-ov.asciidoc +++ b/docs/management/admin/host-isolation-ov.asciidoc 
@@ -99,7 +99,7 @@ image::images/host-isolated-notif.png[Host isolated notification message,350] [[release-a-host]] == Release a host -.Release a host from an event or detection alert +.Release a host from an event or a detection alert [%collapsible] ==== . Open an event or detection alert:
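Review bot: in PATCH 1/3, hunk @@ -41,10 +41,11 @@ of host-isolation-ov.asciidoc, the added bullet `* From the event analyzer view: Click an event.` does not name the control to click or the panel that opens, unlike the two alert bullets after it (*View details*, *Show alert details*). The following step, `. Click *Take action -> Isolate host*.`, also does not say where that menu appears. Suggest stating which flyout opens after the event is clicked and that *Take action* is found there, so an analyst following the event path can reach the isolate action without guessing.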
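Review bot: in PATCH 2/3, hunk @@ -99,10 +99,11 @@ of host-isolation-ov.asciidoc, the unchanged step `. From the alert details flyout, click *Take action -> Release host*.` still covers only the alert path, although the title and step 1 now include events. Suggest changing it to "From the alert or event details flyout", which matches the wording this same patch introduces in response-actions.asciidoc. The title and step in this hunk also read "an event or detection alert" where PATCH 1/3 used "an event or a detection alert"; both lines should use the same form.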
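Review bot: in PATCH 2/3, hunk @@ -29,7 +29,7 @@ of response-actions.asciidoc, the changed bullet says "Alert or event details flyout" while the host isolation sections changed in this series say "an event or a detection alert" and never name an event details flyout. Suggest settling on one order and one term for both files so readers can tell these are the same entry points. While touching this list, the context line `* Host details page → *Respond*` uses "→" where the other bullets use "->" and could be normalized.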
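Review bot: in PATCH 3/3, hunk @@ -99,7 +99,7 @@ of host-isolation-ov.asciidoc, only the block title gets the article fix; the context line `. Open an event or detection alert:` directly below it is left as is, so the Release section still differs from the Isolate section's `. Open an event or a detection alert:`. Suggest changing that step in the same commit so the two procedures read identically.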